Roundcube over https



  • Hello

    I am struggling to make Roundcube run on https using certificates from Let's Encrypt. Using the guidance in the documentation and some postings on the mailing list I got the other parts of Kolab to use the certificates without much hassle. Although I note that many of the changes prescribed in the howto have no target any longer.

    I got the certificates to work with imap, postfix, guam and on the kolab-webadmin pages - but I can't figure out how to make Roundcube work over https. When I contact Roundcube over https, login is refused: "Your session is invalid or expired."

    If I remove the https redirect I can still login without ssl.

    I use Kolab 16 on CentOS 7.3

    Has anybody any clue on which changes are needed to make Roundcube cooperate?

    --
    Regards
    Klaus


  • Global Moderator

    I would love to know how you got so far!
    Have been struggling with this for some time and found the documentation was not up to par also.



  • I created a virtual host to access roundcubemail as webmail.domain.tld and this works quite fine.

    The steps to configure Let's Encrypt Certificates

    yum install httpd mod_ssl python-certbot-apache
    

    configure firewall (open https)

    firewall-cmd --add-service=https --permanent
    

    get Let's Encrypt certs

    certbot --apache -d vhost4.exampledomain.eu -d webmail.exampledomain.eu \
                     -d mail.exampledomain.eu -d imap.exampledomain.eu \
                     -d smtp.exampledomain.eu -d ssl.exampledomain.eu \
                     -d admin.exampledomain.eu -d dav.exampledomain.eu \
                     -d www.exampledomain.eu
    

    create virtual host config file (detailed content below)

    vi /etc/httpd/conf.d/webmail.exampledomain.eu.conf 
    

    test httpd config (before restart)

    apachectl configtest
    

    restart httpd (if configtest was ok)

    systemctl restart httpd
    

    check what the journals say

    journalctl -xe
    

    check provided services listening

    netstat -tulpen
    

    test virtual server response

    curl -k https://webmail.exampledomain.eu
    

    Here is the config I have for this virtual host:

    [root@vhost4 ~]# cat /etc/httpd/conf.d/webmail.exampledomain.eu.conf
    <VirtualHost *:443>
    	ServerName webmail.exampledomain.eu
    	ServerAlias vhost4.exampledomain.eu
    	ServerAlias mail.exampledomain.eu
    
    	DocumentRoot "/usr/share/roundcubemail/public_html/"
    
    	ErrorLog logs/ssl_error_log
    	TransferLog logs/ssl_access_log
    	LogLevel warn
    
    	SSLEngine on
    	SSLProtocol All -SSLv2 -SSLv3
    	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    	SSLHonorCipherOrder on
    	SSLCertificateFile /etc/letsencrypt/live/vhost4.exampledomain.eu/cert.pem
    	SSLCertificateKeyFile /etc/letsencrypt/live/vhost4.exampledomain.eu/privkey.pem
    	SSLCertificateChainFile /etc/letsencrypt/live/vhost4.exampledomain.eu/chain.pem
    
    	<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    	    SSLOptions +StdEnvVars
    	</Files>
    	<Directory "/var/www/cgi-bin">
    	    SSLOptions +StdEnvVars
    	</Directory>
    
    	BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    	CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    	<ifModule mod_rewrite.c>
    	    RewriteEngine On
    	    RewriteRule ^/[a-f0-9]{16}/(.*) /$1 [PT,L]
    	</ifModule>
    
    	Alias /chwala /usr/share/chwala/public_html/
    	Alias /helpdesk-login /usr/share/roundcubemail/public_html/
    
    	Redirect permanent /freebusy https://freebusy.exampledomain.eu/freebusy
    	Redirect permanent /Microsoft-Server-ActiveSync https://activesync.exampledomain.eu/Microsoft-Server-ActiveSync
    
    	Alias /roundcubemail /usr/share/roundcubemail/public_html/
    	Alias /webmail /usr/share/roundcubemail/public_html/
    
    	<LocationMatch "/assets/">
    	    <IfModule mod_deflate.c>
    	        SetEnv no-gzip
    	    </IfModule>
    	    <IfModule mod_expires.c>
    	        ExpiresActive On
    	        ExpiresDefault "access plus 1 month"
    	    </IfModule>
    	</LocationMatch>
    	<Directory "/usr/share/chwala/public_html/">
    	    AllowOverride None
    	    <ifModule mod_authz_core.c>
    	        Require all granted
    	    </ifModule>
    	    <ifModule !mod_authz_core.c>
    	        Order allow,Deny
    	        Allow from All
    	    </ifModule>
    	</Directory>
    
    	<Directory "/usr/share/roundcubemail/">
    	    AllowOverride None
    	</Directory>
    
    	<Directory "/usr/share/roundcubemail/public_html">
    	    Options +FollowSymLinks
    	    AllowOverride None
    
    	    <ifModule mod_rewrite.c>
    	        RewriteEngine On
    	        RewriteRule ^[a-zA-Z0-9]{16}/(.*) /%1/$1 [PT,L]
    	    </ifModule>
    	    <ifModule mod_authz_core.c>
    	        Require all granted
    	    </ifModule>
    	    <ifModule !mod_authz_core.c>
    	        Order Allow,Deny
    	        Allow from All
    	    </ifModule>
    	</Directory>
    </VirtualHost>
    


  • @Nicolai I've been offline for a couple of days but thanks for sharing your config. I'll give it a try tomorrow.



  • UPDATE: I think I've found the reason now: you cannot access 2 different Roundcube installations on the same domain. Even though they were on different servers and addressed as 2 separate subdomains, the session cookies seem to get messed up. To be able to log in on my new install, I have to go to History and use the Forget all on the old Roundcube install URL, every time I have used the old site.

    Just to follow up on this problem: After several days of hair pulling I tried to log in using google-chrome and it just works! I cannot say for sure what the problem is, but using Firefox on OpenSUSE just will not log in over https. Without https - no problem.
    Subsequently I have tried all 3 main browsers (firefox, ie and g-chrome) on a Windows 7 machine I borrowed - no problem with any browser. I have only one plugin installed on my OpenSUSE machine, namely privacybadger - but installing that on the Windows machine did not reveal any problem either.
    At the moment I am just puzzled. I have been - and am still - using Firefox to access my old Roundcube install and that still works perfectly.
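
The cookie mix-up suspected in the update above can be reproduced with a small model of the browser's cookie jar. This is an added example, not part of any post in the thread: it follows RFC 6265 domain matching, and it assumes that the old install set its cookie with a `Domain` attribute covering the parent domain (Roundcube's `session_domain` option) and that both installs use the default cookie name `roundcube_sessid`. The host `old.exampledomain.eu` and the session ids are constructed.

```javascript
// Added example: RFC 6265 cookie scoping for two Roundcube installs on sibling hosts.
// RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store one Set-Cookie header received from `host`.
  setCookie(host, header) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                     domain: host, hostOnly: true, secure: false };
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=');
      if (k.toLowerCase() === 'secure') cookie.secure = true;
      if (k.toLowerCase() === 'domain' && v) {
        const d = v.replace(/^\./, '').toLowerCase();
        if (!domainMatch(host, d)) return; // a host cannot set cookies for a foreign domain
        cookie.domain = d; cookie.hostOnly = false;
      }
    }
    // An existing cookie is replaced only when name and domain both match (paths ignored here).
    this.cookies = this.cookies.filter(c => !(c.name === cookie.name && c.domain === cookie.domain));
    this.cookies.push(cookie);
  }

  // Build the Cookie request header a browser would send to `host`.
  cookieHeader(host, https) {
    return this.cookies
      .filter(c => c.hostOnly ? c.domain === host : domainMatch(host, c.domain))
      .filter(c => https || !c.secure) // Secure cookies never travel over plain http
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Old install: cookie scoped to the parent domain. New install: host-only, Secure.
function demo(newSessionName) {
  const jar = new CookieJar();
  jar.setCookie('old.exampledomain.eu', 'roundcube_sessid=OLD111; Domain=exampledomain.eu; Path=/');
  jar.setCookie('webmail.exampledomain.eu', `${newSessionName}=NEW222; Path=/; Secure; HttpOnly`);
  return { https: jar.cookieHeader('webmail.exampledomain.eu', true),
           http: jar.cookieHeader('webmail.exampledomain.eu', false) };
}

console.log(demo('roundcube_sessid'));     // same name: two values reach the new host
console.log(demo('roundcube_sessid_new')); // distinct name: the new session is unambiguous
```

With the same cookie name the new host receives two `roundcube_sessid` values in one request; leaving `session_domain` empty (host-only cookies) or giving each install its own `session_name` keeps the two sessions apart.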

